The veto cloud command manages authentication and context for Veto Cloud.

Syntax

veto cloud <subcommand> [options]

Subcommands

login

Authenticate with Veto Cloud using device flow.
veto cloud login [--base-url <url>]

whoami

Show active account and organization context.
veto cloud whoami [--base-url <url>] [--json]

org use

Switch active organization.
veto cloud org use <org-id>

project use

Switch active project.
veto cloud project use <project-id>

logout

Clear local cloud session.
veto cloud logout

Options

Base URL

--base-url <url>
Override cloud API base URL (default: https://api.veto.so). Example:
--base-url https://staging.veto.so

JSON Output

--json
Output result as JSON instead of human-readable text. Example:
--json

Examples

Login

veto cloud login
Output:
Veto Cloud Login
================

Opening browser to authenticate...

Please visit: https://app.veto.so/device?code=ABC-123

Waiting for authentication...

✓ Authenticated successfully!

User: [email protected]
Organization: Acme Corp (org_abc123)
Project: my-agent-app (proj_xyz789)

Session saved to: ~/.veto/cloud-session.json

Check Current Context

veto cloud whoami
Output:
Veto Cloud Session
==================

User:
  Email: [email protected]
  Name: John Doe
  ID: user_abc123

Organization:
  Name: Acme Corp
  ID: org_abc123

Project:
  Name: my-agent-app
  ID: proj_xyz789

API URL: https://api.veto.so
Session: Active

Switch Organization

veto cloud org use org_xyz456
Output:
✓ Switched to organization: org_xyz456

Organization context updated.
Run 'veto cloud whoami' to verify.

Switch Project

veto cloud project use proj_new789
Output:
✓ Switched to project: proj_new789

Project context updated.
Run 'veto cloud whoami' to verify.

Logout

veto cloud logout
Output:
✓ Logged out successfully

Cloud session cleared.
Run 'veto cloud login' to authenticate again.

JSON Output

veto cloud whoami --json
Output:
{
  "ok": true,
  "data": {
    "user": {
      "id": "user_abc123",
      "email": "[email protected]",
      "name": "John Doe"
    },
    "organization": {
      "id": "org_abc123",
      "name": "Acme Corp"
    },
    "project": {
      "id": "proj_xyz789",
      "name": "my-agent-app"
    },
    "baseUrl": "https://api.veto.so",
    "authenticated": true
  }
}

Authentication Methods

Device Flow (Default)

veto cloud login
  1. CLI generates device code
  2. Opens browser to https://app.veto.so/device
  3. User enters code and approves
  4. CLI receives access token
  5. Token saved to ~/.veto/cloud-session.json

API Key (Alternative)

export VETO_API_KEY=veto_live_abc123...
veto cloud whoami
API key takes precedence over device flow session.

Session Storage

Location

~/.veto/cloud-session.json

Format

{
  "baseUrl": "https://api.veto.so",
  "accessToken": "...",
  "refreshToken": "...",
  "accessTokenExpiresAt": "2024-03-05T12:00:00.000Z",
  "organizationId": "org_abc123",
  "projectId": "proj_xyz789",
  "user": {
    "id": "user_abc123",
    "email": "[email protected]",
    "name": "John Doe"
  }
}

Security

  • File is only readable by owner (chmod 600)
  • Contains sensitive tokens - do not share
  • Automatically refreshed when expired
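
One way to check these properties on a workstation, as an added example that is not part of the Veto CLI or its documentation: it flags group/other permission bits, a symlinked or foreign-owned file, and an expired access token with nothing to refresh it. The function names are hypothetical; the field names come from the Format section above.

```python
import json
import os
import stat
from datetime import datetime, timezone

TOKEN_FIELDS = ("accessToken", "refreshToken")


def audit_session(path, now=None):
    """Return findings for a session file; an empty list means it looks sane."""
    now = now or datetime.now(timezone.utc)
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:03o} grants group/other access, expected 600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is owned by a different user")
    try:
        with open(path, encoding="utf-8") as fh:
            session = json.load(fh)
    except (OSError, ValueError) as exc:
        return findings + [f"unreadable session: {exc}"]
    if not isinstance(session, dict):
        return findings + ["session is not a JSON object"]
    try:
        # fromisoformat() before Python 3.11 rejects a trailing "Z"
        expires = datetime.fromisoformat(
            session["accessTokenExpiresAt"].replace("Z", "+00:00"))
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
    except (KeyError, AttributeError, ValueError):
        findings.append("accessTokenExpiresAt missing or not ISO 8601")
    else:
        # The page says expired tokens are refreshed automatically, so an
        # expired access token only matters when there is nothing to refresh with.
        if expires <= now and not session.get("refreshToken"):
            findings.append("access token expired and no refresh token present")
    return findings


def redact(session):
    """Copy of a session dict that is safe to paste into a bug report."""
    return {k: "<redacted>" if k in TOKEN_FIELDS else v
            for k, v in session.items()}
```

Call `audit_session(os.path.expanduser("~/.veto/cloud-session.json"))` to check the real file, and pass the parsed file through `redact()` before sharing it.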

Use Cases

Team Collaboration

# Each developer authenticates
veto cloud login

# Share organization and project IDs (not tokens!)
veto cloud org use org_team_abc
veto cloud project use proj_shared_xyz

# Deploy policies to shared project
veto policy apply --file ./rules.yaml --target cloud

Multi-Environment Workflow

# Development
veto cloud project use proj_dev_123
veto policy apply --file ./rules.yaml --target cloud

# Staging
veto cloud project use proj_staging_456
veto policy apply --file ./rules.yaml --target cloud

# Production
veto cloud project use proj_prod_789
veto policy apply --file ./rules.yaml --target cloud
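
Because `project use` changes stored state, a pre-apply check that the active context is the intended one guards against pushing policies to the wrong project or API endpoint. The following is an added example, not part of the Veto CLI or its documentation; it assumes `veto cloud whoami --json` returns the shape shown under JSON Output, and `context_mismatches` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of the `veto cloud whoami --json` output above.
SAMPLE_WHOAMI = """{
  "ok": true,
  "data": {
    "user": {"id": "user_abc123", "name": "John Doe"},
    "organization": {"id": "org_abc123", "name": "Acme Corp"},
    "project": {"id": "proj_xyz789", "name": "my-agent-app"},
    "baseUrl": "https://api.veto.so",
    "authenticated": true
  }
}"""


def _id(obj):
    """Return obj["id"] when obj is a JSON object, otherwise None."""
    return obj.get("id") if isinstance(obj, dict) else None


def context_mismatches(whoami_json, org_id, project_id,
                       base_url="https://api.veto.so"):
    """Return reasons the active context is not the expected one ([] = proceed)."""
    try:
        doc = json.loads(whoami_json)
    except json.JSONDecodeError as exc:
        return [f"whoami output is not JSON: {exc.msg}"]
    if not isinstance(doc, dict) or doc.get("ok") is not True:
        return ["whoami did not report ok=true"]
    data = doc.get("data")
    if not isinstance(data, dict):
        return ["whoami output has no data object"]
    problems = []
    if data.get("authenticated") is not True:
        problems.append("session is not authenticated")
    got_org, got_project = _id(data.get("organization")), _id(data.get("project"))
    got_url = str(data.get("baseUrl") or "").rstrip("/")
    if got_org != org_id:
        problems.append(f"organization is {got_org!r}, expected {org_id!r}")
    if got_project != project_id:
        problems.append(f"project is {got_project!r}, expected {project_id!r}")
    if got_url != base_url.rstrip("/"):
        # A --base-url or VETO_API_URL override sends credentials elsewhere.
        problems.append(f"base URL is {got_url!r}, expected {base_url!r}")
    return problems
```

In a deploy script, pass the captured output of `veto cloud whoami --json` to `context_mismatches` and stop before `veto policy apply` if the returned list is not empty.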

CI/CD Authentication

# .github/workflows/deploy.yml
name: Deploy Policies

env:
  VETO_API_KEY: ${{ secrets.VETO_API_KEY }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm install -g veto-cli
      - run: veto cloud whoami  # Verify auth
      - run: veto policy apply --file ./rules.yaml --target cloud

Switching Between Accounts

# Log out of current account
veto cloud logout

# Log in with different account
veto cloud login

# Or use different API key
export VETO_API_KEY=veto_live_different_key

Troubleshooting

Login Failed

Error: Authentication failed: Device code expired
Solution:
# Try again (code expires after 5 minutes)
veto cloud login

# Or use API key
export VETO_API_KEY=your-key-here
veto cloud whoami

Session Expired

Error: Unauthorized: Access token expired
Solution:
# Session auto-refreshes, but if it fails:
veto cloud login

# Or use fresh API key
export VETO_API_KEY=your-key-here

Organization Not Found

Error: Organization 'org_xyz' not found or access denied
Solution:
# Check available organizations
veto cloud whoami

# Contact org admin for access
# Or use correct org ID
veto cloud org use org_correct_id

Network Issues

Error: Unable to connect to https://api.veto.so
Solution:
# Check connectivity
curl https://api.veto.so/health

# Check firewall/proxy settings
echo $HTTP_PROXY
echo $HTTPS_PROXY

# Use custom base URL if needed
veto cloud login --base-url https://custom.veto.so

Best Practices

1. Use Device Flow for Development

# For local development
veto cloud login

2. Use API Keys for CI/CD

# For automated workflows (GitHub Actions expression; only valid inside a workflow file)
export VETO_API_KEY=${{ secrets.VETO_API_KEY }}

3. Never Commit Credentials

# .gitignore
.veto/
.env
*.secret

4. Rotate Keys Regularly

# Generate new API key in web UI
# https://app.veto.so/settings/api-keys

# Update in CI secrets
# Update local .env files

5. Use Project Context

# Set once, use everywhere
veto cloud project use proj_abc123

veto policy apply --file ./rules.yaml --target cloud
veto guard check --tool xyz --args '{}' --mode cloud

Environment Variables

VETO_API_KEY

API key for authentication (takes precedence over device flow).
export VETO_API_KEY=veto_live_abc123...

VETO_API_URL

Override cloud API base URL.
export VETO_API_URL=https://staging.veto.so
